Abstract

The results in this paper contribute to the formulation of a semantic theory of dynamic
binding (fluid variables). The axioms and theorems are language independent in that
they don't talk about programs - i.e. syntactic objects - but just about elements in
certain domains. Firstly the equivalence (in the circumstances where it's true) of "tying
a knot" through the environment (elaborated in the paper) and taking a least fixed point
is shown. This is central in proving the correctness of LISP "eval" type interpreters.
Secondly the relation which must hold between two environments if a program is to
have the same meaning in both is established. It is shown how the theory can be
applied to LISP to yield previously known facts.



ACKNOWLEDGEMENTS 


Thanks  to  John  Allen,  Rod  Burstall,  Friedrich  von  Henke,  Robert  Milne,  Gordon 
Plotkin,  Bob  Tennent  and  Chris  Wadsworth  for  helpful  discussions  and 
correspondence.  John  Allen,  Dana  Scott  and  Akinori  Yonezawa  suggested 
improvements and pointed out errors in preliminary drafts of this report.

This research was supported in part by the Advanced Research Projects Agency of the
Office  of  the  Secretary  of  Defense  under  contract  DAHC  15-73-C-0435,  ARPA  order 
no.  2494. 

The  views  and  conclusions  in  this  document  are  those  of  the  author  and  should  not  be 
interpreted  as  necessarily  representing  the  official  policies,  either  expressed  or  implied, 
of  the  Advanced  Research  Projects  Agency  or  the  US  Government. 


CONTENTS

SECTION  PAGE

1. Introduction  1
2. Informal Discussion of Results  2
3. Formalisation  3
3.1. Knots and Fixed Points  3
3.2. Equivalent Environments  7
4. Proofs  8
5. Application to LISP  11
5.1. Syntax  12
5.2. Some Notation  12
5.3. Semantics  13
5.3.1. Denotation Domains  13
5.3.2. Environment Domain  13
5.3.3. Semantic Functions  13
5.3.4. Semantic Equations  13
6. Existence of Predicates  18
7. Concluding Remarks  24
8. References  25

1. Introduction

The art of semantics is now sufficiently developed that most computer languages can be
given  concise,  elegant  and  intuitive  formal  descriptions.  The  theory  of  these 
descriptions  is  well  enough  understood  that  useful  facts  - such  as  the  correctness  of 
implementations  - are  fairly  straightforward  to  prove.  Unfortunately  proofs  tend  to  be 
very  long  and  the  results  obtained  rather  lacking  in  generality.  For  example  the  proof  of 
correctness  of  an  implementation  for  one  language  has  to  be  redone  for  a similar 
implementation  of  another.  Of  course  once  the  proof  idea  is  known  no  real  creative 
acts  are  needed  in  applying  it  and  thus  a certain  amount  of  generality  is  obtained. 
However this generality isn't of a type that's easy to use (except, perhaps, by people
with considerable knowledge of the underlying theory). A more direct way of being
general is to isolate explicitly the assumptions used and then to prove the results from
these.  Then  to  apply  such  a result  one  just  needs  to  check  the  language  satisfies  the 
appropriate  "axioms"  - and  this  will  normally  be  much  less  demanding  than  redoing  a 
whole  proof  by  analogy  with  an  existing  one. 

In  this  note  I've  formulated  abstract  versions  of  two  results  about  languages  which  use 
dynamic  binding  of  free  variables.  Initially  these  were  proved  for  LISP  (they  were 
needed  in  proving  the  correctness  of  an  implementation).  The  abstract  versions 
described below can be instantiated to yield the LISP ones. Although the two results
proven are completely language-independent (in that they don't talk about programs -
i.e. syntactic objects - but just about elements in certain domains) they aren't as
general as one might hope. Some situations in which dynamic binding is used and which
intuitively should fall under their compass don't. This is a defect of the present work - I
don't think it's a necessary difficulty.


2.  Informal  Discussion  of  Results 
When reasoning about programs it's often useful to be able to exhibit the denotation of
a recursive procedure as the least fixed point of some functional. Doing this enables,
for example, computation-induction to be used. The first result to be discussed helps
with this as it concerns the equivalence (in certain circumstances) of "tying a knot"
through the environment (elaborated below) with taking a least fixed point. Besides
being of interest in its own right, this result is at the heart of the correctness of LISP
eval type interpreters. Hopefully the abstract version will assist in proving the
correctness of similar interpreters for other languages.

The way recursive definitions are handled by many LISP implementations is to bind the
body of the function to its own name on the alist. This creates a circularity or "knot" in
which places inside the function body (namely recursive calls) point back to the
beginning of the function. Now the standard analysis of recursion is via the Y-operator
(i.e. in terms of least fixed points) and consequently in proving the correctness of
"knotting" interpreters with respect to standard semantics it's necessary to ascertain
the conditions under which "knotting" and fixedpointing are equivalent. Contrary to what
one might expect they aren't always the same. This is shown below.

The second result concerns what relation needs to hold between two environments $a$, $a'$
(alists in the case of LISP) for a form $e$ to evaluate to the same values in both $a$ and $a'$.
Call this condition "$a =_e a'$".

A first guess might be that the two environments must agree on the free variables of $e$
(as is the case for terms in predicate-calculus or the $\lambda$-calculus). This won't do
however for although $a$ and $a'$ might agree on $e$'s free variables the things they bind to
these might depend on other variables not free in $e$ and on which $a$ and $a'$ differ (e.g. if
$e = x$, $a$ and $a'$ both bind $x$ to $y$ but $a$ binds $y$ to 1 whilst $a'$ binds it to 2). What is
clearly needed is that $a$ and $a'$ agree on $e$'s free variables and on the variables free in
the things bound to these variables etc.

To formulate this for LISP one just needs a recursive definition like:

$$a =_e a' \iff \forall x.\ [\ x \text{ free in } e \Rightarrow a(x) = a'(x) \text{ and } a =_{a(x)} a'\ ]$$

Now given a syntax for $e$'s it's easy to formalise "$x$ free in $e$" - the difficulty arises if
one wants a syntax independent definition. What's needed is an abstract notion of
free-ness applicable to elements of the type denoted by $e$ (and hopefully denoted also
by programs from languages other than LISP). I describe such a notion below.
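
The failure of the first guess, and the recursive condition that repairs it, can be seen on a small dynamically bound expression language. This Python sketch is an added illustration, not code from the report; the expression syntax (integers, identifiers and ('+', e1, e2) tuples), the dict representation of alists and all function names are assumptions.

```python
# Added illustration: expressions are ints, identifier strings, or ('+', e1, e2).
# An alist is a dict binding identifiers to *unevaluated* expressions, which are
# evaluated in whatever alist is current at lookup time (dynamic binding).

def free_vars(e):
    """Identifiers occurring free in e (this toy syntax has no binders)."""
    if isinstance(e, int):
        return set()
    if isinstance(e, str):
        return {e}
    _, left, right = e
    return free_vars(left) | free_vars(right)

def evaluate(e, alist, fuel=100):
    """Value of e in alist; None stands for an undefined (bottom) result."""
    if fuel == 0:
        return None                      # circular bindings never yield a value
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        if e not in alist:
            return None
        return evaluate(alist[e], alist, fuel - 1)
    _, left, right = e
    lv = evaluate(left, alist, fuel - 1)
    rv = evaluate(right, alist, fuel - 1)
    return None if lv is None or rv is None else lv + rv

def agree_on_free_vars(e, a, a2):
    """The 'first guess': a and a2 bind e's free variables to the same things."""
    return all(a.get(x) == a2.get(x) for x in free_vars(e))

def strongly_agree(e, a, a2, seen=None):
    """a =_e a2: agreement on e's free variables and, recursively, on the
    variables free in whatever is bound to them."""
    seen = set() if seen is None else seen
    for x in free_vars(e):
        if x in seen:
            continue                     # already being checked (handles cycles)
        seen.add(x)
        if a.get(x) != a2.get(x):
            return False
        if x in a and not strongly_agree(a[x], a, a2, seen):
            return False
    return True

# Constructed sample data: the example from the text (e = x, x bound to y).
E = "x"
A1 = {"x": "y", "y": 1}
A2 = {"x": "y", "y": 2}              # agrees with A1 on x, differs on y
A3 = {"x": "y", "y": 1, "z": 99}     # A1 plus an unrelated new binding

def report():
    """Compare A1 with A2 and A3: (name, first guess, strong agreement, same value)."""
    rows = []
    for name, other in (("A2", A2), ("A3", A3)):
        rows.append((name,
                     agree_on_free_vars(E, A1, other),
                     strongly_agree(E, A1, other),
                     evaluate(E, A1) == evaluate(E, other)))
    return rows

if __name__ == "__main__":
    for row in report():
        print("A1 vs %s: first guess=%s, strong agreement=%s, same value=%s" % row)
```

The A3 row corresponds to the later application of the theory: adding a new definition that the old ones do not mention leaves their values unchanged.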

3.  Formalization 

3.1.  Knots  and  Fixed-points 

Before proceeding with abstract formulations of the above it's necessary to describe the
environments needed to handle dynamic binding. Let $D$ be an arbitrary domain of
expression values and let $Env = Id \to V_D$ be the associated domain of environments.
Elements of $V_D$ are - in the case of dynamic binding - denotations of objects which may
contain free variables and so might still depend on the environment. Hence $V_D = Env \to D$
and thus $Env$ must satisfy $Env = Id \to [Env \to D]$.

It turns out to be necessary (see lemma 8 below) to require in addition that if
$\rho \in Env$ then $\rho$ is strict i.e. $\rho(\bot) = \bot$; thus if $[D_1 \twoheadrightarrow D_2]$ is the domain of strict
continuous functions from $D_1$ to $D_2$ then $Env$ must have type satisfying:
$Env = Id \twoheadrightarrow [Env \to D]$.

From this one can immediately formulate what it means for "knotting" and fixedpointing
to be the same viz. we require for $v \in V_D$ and $\rho \in Env$:

$$\underbrace{v(\rho[v/x])}_{\text{knot}} = \underbrace{Y(F_x(v))\rho}_{\text{fixedpoint}} \qquad \text{where } F_x(v) = \lambda v'.\lambda\rho'.\,v(\rho'[v'/x])$$

here $\rho[v/x]$ is $\rho$ updated to bind $v$ to $x$. Unfortunately this equality isn't true in
general.


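For example if:

$$v = \lambda\rho'.\,\rho'(y)\rho' \qquad \text{(where } y \in Id\text{)}$$

$$\rho = \bot[(\lambda\rho'.d)/x][(\lambda\rho'.\rho'(x)\rho)/y] \qquad \text{(where } \bot \neq d \in D\text{)}$$

Then it turns out that $v(\rho[v/x]) = d \neq \bot = Y(F_x(v))\rho$.

For we have:

$$
\begin{aligned}
v(\rho[v/x]) &= (\rho[v/x])(y)(\rho[v/x]) && \text{(by definition of } v\text{)}\\
&= \rho(y)(\rho[v/x]) \\
&= (\lambda\rho'.\rho'(x)\rho)(\rho[v/x]) && \text{(by definition of } \rho\text{)}\\
&= (\rho[v/x])(x)\rho \\
&= v(\rho) \\
&= \rho(y)\rho && \text{(by definition of } v\text{)}\\
&= (\lambda\rho'.\rho'(x)\rho)\rho && \text{(by definition of } \rho\text{)}\\
&= \rho(x)\rho \\
&= (\lambda\rho'.d)\rho && \text{(by definition of } \rho\text{)}\\
&= d
\end{aligned}
$$

And as $Y(F_x(v))\rho = \bigsqcup_n F_x(v)^n(\bot)\rho$ and $F_x(v)^n(\bot)\rho = \bot$ implies

$$
\begin{aligned}
F_x(v)^{n+1}(\bot)\rho &= F_x(v)(F_x(v)^n(\bot))\rho \\
&= v(\rho[F_x(v)^n(\bot)/x]) \\
&= (\rho[F_x(v)^n(\bot)/x])(y)(\rho[F_x(v)^n(\bot)/x]) && \text{(by definition of } v\text{)}\\
&= (\lambda\rho'.\rho'(x)\rho)(\rho[F_x(v)^n(\bot)/x]) && \text{(by definition of } \rho\text{)}\\
&= F_x(v)^n(\bot)\rho = \bot
\end{aligned}
$$

It follows by induction on $n$ that: $\forall n.\ F_x(v)^n(\bot)\rho = \bot$ and so $Y(F_x(v))\rho = \bot$.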
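
The counterexample above can be checked mechanically. The following Python sketch is an added illustration, not part of the original report: it models environments as finite maps whose unbound identifiers denote bottom (None), computes the knot and the first few Kleene approximants of the fixed point, and repeats the comparison for a LISP-style recursive definition where the two agree. The names Env, knot, approximant, strict_apply and double_body, and the use of integer arithmetic, are assumptions made for the example.

```python
# Added illustration: a finite model of Env = Id -> [Env -> D] for checking the
# counterexample. BOT (None) stands for the bottom element of D.
BOT = None
D_VAL = "d"                      # any non-bottom element d of D

def bottom(_env):
    """Bottom of V_D = Env -> D: undefined in every environment."""
    return BOT

def strict_apply(fun, arg):
    """Strict application of a function value."""
    return BOT if fun is BOT or arg is BOT else fun(arg)

class Env:
    """rho: identifiers -> V_D; identifiers without a binding denote bottom."""
    def __init__(self, bindings=None):
        self.bindings = dict(bindings or {})

    def __call__(self, ident):
        return self.bindings.get(ident, bottom)

    def update(self, value, ident):
        """rho[v/x]: rho updated to bind v to x."""
        return Env({**self.bindings, ident: value})

def knot(v, rho, x):
    """v(rho[v/x]): bind v to its own name and evaluate it there."""
    return v(rho.update(v, x))

def approximant(v, x, n):
    """F_x(v)^n(bottom), where F_x(v) = lambda v1. lambda rho1. v(rho1[v1/x])."""
    f = bottom
    for _ in range(n):
        f = (lambda prev: lambda env: v(env.update(prev, x)))(f)
    return f

def counterexample():
    """v = lambda rho'. rho'(y) rho'  and
    rho = bottom[(lambda rho'. d)/x][(lambda rho'. rho'(x) rho)/y]."""
    rho = Env()
    rho.bindings["x"] = lambda _env: D_VAL
    rho.bindings["y"] = lambda env: env("x")(rho)   # mentions rho itself
    v = lambda env: env("y")(env)
    return v, rho

def double_body(env):
    """Assumed LISP-style function: double[n] = [n=0 -> 0; T -> 2 + f[n-1]],
    with the recursive call f looked up in the current environment."""
    def fun(n):
        if n == 0:
            return 0
        rec = strict_apply(env("f")(env), n - 1)
        return BOT if rec is BOT else 2 + rec
    return fun

if __name__ == "__main__":
    v, rho = counterexample()
    print("knot:", knot(v, rho, "x"))
    print("approximants:", [approximant(v, "x", n)(rho) for n in range(6)])
    print("double, knot:", knot(double_body, Env(), "f")(3))
    print("double, approximants at 3:",
          [strict_apply(approximant(double_body, "f", n)(Env()), 3) for n in range(6)])
```

Only finitely many approximants are computed; that every approximant of the counterexample is bottom is what the induction above establishes.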

In [1] and [2] it is shown that for $v$'s and $\rho$'s which are the denotations of LISP
functions and alists respectively the equation $v(\rho[v/x]) = Y(F_x(v))\rho$ does in fact hold.
The proof used was very specific to LISP (being essentially an induction on the size of
computations on a certain abstract interpreter). Now hopefully the result should hold
for dynamic binding in general rather than just for LISP. Thus the problem arises of
isolating and stating those properties of dynamic binding which, when possessed by $v$
and $\rho$, entail $v(\rho[v/x]) = Y(F_x(v))\rho$. To do this we need to introduce recursively
defined (but not necessarily monotonic) relations of the type first studied by Milne [5]
and Reynolds [7]. Using these we can then provide a (partial) abstract characterisation
of dynamic binding by defining a notion of "regular" for which:

$$v,\ \rho \text{ regular} \Rightarrow v(\rho[v/x]) = Y(F_x(v))\rho$$

From now on $x, x', x'', y, y', y''$ etc. will range over $Id$, $X, Y$ will range over subsets of
$Id$. $\rho, \rho', \rho''$ will range over $Env$. $v, v', v''$ will range over $V_D = Env \to D$ and $d, d', d''$ will
range over $D$.
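Using techniques developed by Robert Milne of Oxford [5] one can show that there
exist predicates of types:

$$\triangleleft \subseteq Env \times Env$$
$$\triangleleft^x \subseteq V_D \times V_D \quad \text{(one for each } x \in Id\text{)}$$
$$\ast \subseteq Env \times Env$$
$$\ast \subseteq V_D \times V_D$$

which are directed-complete (i.e. if they hold of each member of a directed set then
they hold of the union) and satisfy:

$$\rho \triangleleft \rho' \iff \forall x.\ \rho(x) \triangleleft^x \rho'(x)$$
$$v \triangleleft^x v' \iff \forall \rho,\rho'.\ [\ \rho \triangleleft \rho' \Rightarrow v(\rho[v/x]) \sqsubseteq v'(\rho'[v'/x])\ ]$$
$$\rho \ast \rho' \iff \forall x.\ \rho(x) \ast \rho'(x)$$
$$v \ast v' \iff \forall \rho,\rho'.\ [\ \rho \triangleleft \rho' \Rightarrow v(\rho) \sqsubseteq v'(\rho')\ ]$$

One can then show that:

$$v \ast v' \Rightarrow v \triangleleft^x Y(F_x(v'))$$
$$v' \ast v \Rightarrow Y(F_x(v')) \triangleleft^x v$$

And as it also turns out that $\rho \ast \rho' \Rightarrow \rho \triangleleft \rho'$ we have:

$$v \ast v,\ \rho \ast \rho \Rightarrow v(\rho[v/x]) = v(\rho[Y(F_x(v))/x]) = Y(F_x(v))\rho$$

Thus a definition of "regular" which works is given by:

Definition 1

$v : Env \to D$ and $\rho : Env$ are regular $\iff$ $v \ast v$ and $\rho \ast \rho$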

To  apply  this  to  LISP  one  just  shows  that  the  denotations  of  forms  and  alists  are 
regular,  this  is  done  in  section  5. 

In the next section proofs of the above assertions will be given relative to the
existence of the predicates. This existence (which can't be shown with the Y-operator,
as the necessary functionals aren't continuous) will be proved in section 6.


3.2.  Equivalent  Environments 


The formulation of the result about free variables also requires the use of Milne style
recursive predicates viz.:

$$\Phi \subseteq V_D \times \{X \mid X \subseteq Id\}$$
$$=_X\ \subseteq Env \times Env \quad \text{(one for each } X \subseteq Id\text{)}$$

Where intuitively $\Phi(v,X)$ means the free variables of $v$ are included in $X$ and $\rho =_X \rho'$
means $\rho$ and $\rho'$ "strongly" agree for all $x \in X$. Formally we require that:

$$\Phi(v,X) \iff \forall Y,\rho,\rho'.\ [\ X \subseteq Y \Rightarrow [\ \rho =_Y \rho' \Rightarrow v(\rho) = v(\rho')\ ]\ ]$$
$$\rho =_X \rho' \iff \forall x \in X.\ \rho(x) = \rho'(x) \text{ and } \Phi(\rho(x),X)$$

In section 5 below I'll show that if $e$ is a LISP form which denotes $\mathcal{E}[[e]]$ and if
$vs(e) = \{x \mid x \text{ is free in } e\}$ then $\Phi(\mathcal{E}[[e]], vs(e))$. From this it follows (via the definition of
$\rho =_{vs(e)} \rho'$) that:

$$\forall \rho,\rho'.\ [\ \rho =_{vs(e)} \rho' \Rightarrow \mathcal{E}[[e]](\rho) = \mathcal{E}[[e]](\rho')\ ]$$

In particular if $e$ has no free variables then $vs(e) = \{\}$ and (since it's clear that for any $\rho$
and $\rho'$: $\rho =_{\{\}} \rho'$) we have $\mathcal{E}[[e]](\rho) = \mathcal{E}[[e]](\rho')$.

Somewhat less trivially: if $\forall x \in vs(e).\ \rho(x) = \rho'(x)$ and also $\rho(x)$ is a constant function (i.e.
is an environment independent quantity) then again $\rho =_{vs(e)} \rho'$ and so
$\mathcal{E}[[e]](\rho) = \mathcal{E}[[e]](\rho')$. This last example corresponds to the case for static binding - i.e.
when objects have all their free variables bound by the time they themselves are
bound. The existence of $\Phi$ and $=_X$ will be discussed in section 6.
4. Proofs

Readers from now on are assumed to be familiar with notations commonly employed in
the literature on Mathematical Semantics.

A "domain" is a partially ordered set in which each directed subset has a least upper
bound. This notion of domain is used (rather than complete lattices) for minor and
nonessential technical reasons (see [1] for a discussion).

The domain intended by $Env = Id \twoheadrightarrow [Env \to D]$ is the minimal solution of the equation i.e. if
$id$, $d$ are retracts of a universal domain (eg Scott's DJ) which represent $Id$ and $D$
respectively (in the sense that $Id = \{x \mid x = id(x)\}$ and $D = \{x \mid x = d(x)\}$) then
$Y(\lambda e.\ id \twoheadrightarrow (e \to d))$ represents $Env$. (here $a \to b = \lambda u.\lambda x.\,b(u(a(x)))$ and
$a \twoheadrightarrow b = \lambda u.\lambda x.\,b(str(u)(a(x)))$ where $str(u) = \lambda x.(x = \bot \to \bot, u(x))$). From this minimality it
follows that there are mappings $\lambda\rho.\rho_n : Env \to Env$ such that:

$$(P1)\quad \bot = \rho_0 \sqsubseteq \rho_1 \sqsubseteq \ldots \sqsubseteq \rho_n \sqsubseteq \ldots \sqsubseteq \rho$$
$$(P2)\quad \rho = \bigsqcup_n \rho_n$$
$$(P3)\quad (\rho_n)_m = \rho_{\min(n,m)}$$
$$(P4)\quad \rho_{n+1}(x)\rho' = \rho(x)\rho'_n$$

In fact if $Env$ is represented as above then $\rho_n = (\lambda e.\ id \twoheadrightarrow (e \to d))^n(\bot)(\rho)$. For $v \in [Env \to D]$
$v_n$ is defined by $v_n(\rho) = v(\rho_n)$. (P4) can thus be written as: $\rho_{n+1}(x) = \rho(x)_n$ and it is easy
to show (see [1] for details) that: $\rho[v/x]_{n+1} = \rho_{n+1}[v_n/x]$.

I shall prove $[\ v \ast v' \Rightarrow v \triangleleft^x Y(F_x(v'))\ ]$ by showing (by induction on $n$) that
$[\ v \ast v' \Rightarrow v_n \triangleleft^x Y(F_x(v'))\ ]$ and then take a limit. Similarly $[\ v \ast v' \Rightarrow Y(F_x(v)) \triangleleft^x v'\ ]$ will be
proved by showing that for all $n$: $[\ v \ast v' \Rightarrow F_x(v)^n(\bot) \triangleleft^x v'\ ]$.
The following rather ad-hoc looking definition enables the clean statement of some of
the lemmas below:

Definition 2

$F : V_D \to V_D$ is "invariant at $x$" $\iff$ $\forall \rho,v.\ F(v)(\rho[F(v)/x]) = v(\rho[F(v)/x])$

The useful applications of this definition are given in the next lemma.

Lemma 1

For all $x$, $(\lambda v.v)$ and $(\lambda v.Y(F_x(v)))$ are both invariant at $x$.

Proof

Trivial for $(\lambda v.v)$, for $(\lambda v.Y(F_x(v)))$ use the fixed-point property of $Y$.

QED.

Lemma 2

If $F$ is invariant at $x$ and $v \ast v'$ then $\forall n.\ v_n \triangleleft^x F(v')$.

Proof

$n = 0$: Must show $v_0 \triangleleft^x F(v')$

i.e. $\rho \triangleleft \rho' \Rightarrow v_0(\rho[v_0/x]) \sqsubseteq F(v')(\rho'[F(v')/x])$
i.e. $\rho \triangleleft \rho' \Rightarrow v(\bot) \sqsubseteq v'(\rho'[F(v')/x])$

OK as $v \ast v'$ and $\bot \triangleleft \rho'[F(v')/x]$

$n > 0$: Assume true for $n-1$. Let $\rho \triangleleft \rho'$. Must show $v_n(\rho[v_n/x]) \sqsubseteq F(v')(\rho'[F(v')/x])$

i.e. $v(\rho_n[v_{n-1}/x]) \sqsubseteq v'(\rho'[F(v')/x])$
need $\rho_n[v_{n-1}/x] \triangleleft \rho'[F(v')/x]$
need $v_{n-1} \triangleleft^x F(v')$ - OK by induction.

QED.
Lemma 3

If $F$ is invariant at $x$ and $v \ast v'$ then $v \triangleleft^x F(v')$

Proof

Trivial from lemma 2 as $v = \bigsqcup_n v_n$ and $\triangleleft^x$ is directed-complete.

QED.

Lemma 4

$\forall x.\ [\ v \ast v' \Rightarrow v \triangleleft^x v'\ ]$

$\forall x.\ [\ v \ast v' \Rightarrow v \triangleleft^x Y(F_x(v'))\ ]$

Proof

Trivial consequence of lemmas 1 and 3.

QED.

Lemma 5

If $F$ is invariant at $x$ and $v \ast v'$ then $\forall n.\ F_x(v)^n(\bot) \triangleleft^x F(v')$.

Proof

$n = 0$: Trivial

$n > 0$: Assume true for $n-1$. Need $\rho \triangleleft \rho' \Rightarrow F_x(v)^n(\bot)(\rho[F_x(v)^n(\bot)/x]) \sqsubseteq F(v')(\rho'[F(v')/x])$

i.e. $\rho \triangleleft \rho' \Rightarrow v(\rho[F_x(v)^{n-1}(\bot)/x]) \sqsubseteq v'(\rho'[F(v')/x])$

OK if $F_x(v)^{n-1}(\bot) \triangleleft^x F(v')$ - true by induction

QED.

Lemma 6

If $F$ is invariant at $x$ and $v \ast v'$ then $Y(F_x(v)) \triangleleft^x F(v')$.

Proof

Trivial from lemma 5 as $Y(F_x(v)) = \bigsqcup_n F_x(v)^n(\bot)$ and $\triangleleft^x$ is directed-complete.

QED.
Lemma 7

$\forall x.\ [\ v \ast v' \Rightarrow Y(F_x(v)) \triangleleft^x v'\ ]$

$\forall x.\ [\ v \ast v' \Rightarrow Y(F_x(v)) \triangleleft^x Y(F_x(v'))\ ]$

Proof

Trivial application of lemma 1 and lemma 6.

QED.

Theorem 1

If $v$ and $\rho$ are regular then $v(\rho[v/x]) = Y(F_x(v))\rho$

Proof

By lemma 5 and lemma 7 we have:

$$Y(F_x(v)) \triangleleft^x v$$
$$v \triangleleft^x Y(F_x(v))$$

hence from the definition of $\triangleleft^x$

$$Y(F_x(v))(\rho[Y(F_x(v))/x]) \sqsubseteq v(\rho[v/x])$$
$$v(\rho[v/x]) \sqsubseteq Y(F_x(v))(\rho[Y(F_x(v))/x])$$

hence

$$Y(F_x(v))(\rho[Y(F_x(v))/x]) = v(\rho[v/x])$$

Finally, using the fixed-point property of $Y$ on the left hand side of this, we get:

$$Y(F_x(v))\rho = v(\rho[v/x])$$

QED.


5.  Application  to  LISP 


In  this  section  D will  be  specialized  to  a domain  appropriate  for  pure  LISP  and  then  the 
abstract  results  described  above  will  be  shown  to  hold  of  the  denotations  of  LISP 
programs. 

The semantics of LISP used here will only be described in barest outline. For further
details, motivation and justification see [1] and [2].
5.1. Syntax

The syntax of LISP (as described in the manual [4] and in the notation of [9]) is given
by the equations:

$$e ::= A \mid x \mid fn[e_1;\ldots;e_n] \mid [e_{11} \to e_{12};\ldots;e_{n1} \to e_{n2}]$$
$$fn ::= F \mid f \mid \lambda[[x_1;\ldots;x_n];e] \mid label[f;fn]$$
$$F ::= car \mid cdr \mid cons \mid atom \mid eq$$

where the ranges of the variables e,A,x,fn,F,f are as follows:

A      ranges over  <S-expression>       (as in page 9 of [4])
x,f,z  range over   <identifier>         (as in page 9 of [4])
e      ranges over  <form>               (as defined above)
fn     ranges over  <function>           (as defined above)
F      ranges over  <standard function>  (as defined above)

I use meta-variables x,f,z to range over <identifier>: x is used in contexts where the
identifier is a form, f where it's a function and z where it could be either.


5.2.  Some  Notation 


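In the semantics below:

$flat(S) = S \cup \{\bot\}$ ordered by $\forall s \in S.\ \bot \sqsubseteq s$.

$\lambda s_1,\ldots,s_n{:}S.\ E(s_1,\ldots,s_n) = \lambda s_1,\ldots,s_n.\ (s_1 = \bot \text{ or } s_2 = \bot \text{ or } \ldots \text{ or } s_n = \bot \to \bot,\ E(s_1,\ldots,s_n))$

car, cdr, cons, atom, eq are the appropriate functions on $S = flat(\text{<S-expression>})$.

Whenever an expression $v$ of type $S$, $[Env \to S]$ or $[Env \to Funval]$ occurs
in a context requiring something of type $[Env \to D]$ then $v$ means (i.e. should be
"coerced" into) $(\lambda\rho.\ v \text{ in } D)$, $(\lambda\rho.\ v(\rho) \text{ in } D)$ and $(\lambda\rho.\ v(\rho) \text{ in } D)$ respectively.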
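5.3. Semantics

5.3.1. Denotation Domains

$$D = S + Funval$$
$$S = flat(\text{<S-expression>})$$
$$Funval = [S^* \to S]$$

5.3.2. Environment Domain

$$Env = Id \twoheadrightarrow [Env \to D]$$

5.3.3. Semantic Functions

$$\mathcal{E} : Form \to [Env \to S]$$
$$\mathcal{F} : Function \to [Env \to Funval]$$

5.3.4. Semantic Equations

$$(S1)\quad \mathcal{E}[[A]]\rho = A$$
$$(S2)\quad \mathcal{E}[[x]]\rho = \rho(x)\rho|S$$
$$(S3)\quad \mathcal{E}[[fn[e_1;\ldots;e_n]]]\rho = \mathcal{F}[[fn]]\rho(\mathcal{E}[[e_1]]\rho,\ldots,\mathcal{E}[[e_n]]\rho)$$
$$(S4)\quad \mathcal{E}[[[e_{11} \to e_{12};\ldots;e_{n1} \to e_{n2}]]]\rho = (\mathcal{E}[[e_{11}]]\rho \to \mathcal{E}[[e_{12}]]\rho,\ \ldots,\ \mathcal{E}[[e_{n1}]]\rho \to \mathcal{E}[[e_{n2}]]\rho)$$
$$(S5)\quad \begin{cases} \mathcal{F}[[car]]\rho = car \\ \mathcal{F}[[cdr]]\rho = cdr \\ \mathcal{F}[[cons]]\rho = cons \\ \mathcal{F}[[atom]]\rho = atom \\ \mathcal{F}[[eq]]\rho = eq \end{cases}$$
$$(S6)\quad \mathcal{F}[[f]]\rho = \rho(f)\rho|Funval$$
$$(S7)\quad \mathcal{F}[[\lambda[[x_1;\ldots;x_n];e]]]\rho = \lambda s_1,\ldots,s_n{:}S.\ \mathcal{E}[[e]]\rho[s_1/x_1]\ldots[s_n/x_n]$$
$$(S8)\quad \mathcal{F}[[label[f;fn]]]\rho = Y(F_f(\mathcal{F}[[fn]]))\rho$$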
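Theorem 2 below shows that the denotations of LISP forms and functions are regular
and so Theorem 1 can be applied to them.

Theorem 2

$\mathcal{E}[[e]] \ast \mathcal{E}[[e]]$ and $\mathcal{F}[[fn]] \ast \mathcal{F}[[fn]]$

Proof

A straightforward induction works. The details are as follows:

Assume $\rho \triangleleft \rho'$. I must show $\mathcal{E}[[e]]\rho \sqsubseteq \mathcal{E}[[e]]\rho'$ and $\mathcal{F}[[fn]]\rho \sqsubseteq \mathcal{F}[[fn]]\rho'$.

(1): $\mathcal{E}[[A]]\rho = A \sqsubseteq A = \mathcal{E}[[A]]\rho'$

(2): $\mathcal{E}[[x]]\rho = \rho(x)\rho|S$

$\mathcal{E}[[x]]\rho' = \rho'(x)\rho'|S$

Now $\rho \triangleleft \rho' \Rightarrow \rho(x) \triangleleft^x \rho'(x) \Rightarrow \rho(x)(\rho[\rho(x)/x]) \sqsubseteq \rho'(x)(\rho'[\rho'(x)/x])$

$\Rightarrow \rho(x)(\rho) \sqsubseteq \rho'(x)\rho'$ by lemma 8 below

(3): $\mathcal{E}[[fn[e_1;\ldots;e_n]]]\rho = \mathcal{F}[[fn]]\rho(\mathcal{E}[[e_1]]\rho,\ldots,\mathcal{E}[[e_n]]\rho)$

$\sqsubseteq \mathcal{F}[[fn]]\rho'(\mathcal{E}[[e_1]]\rho',\ldots,\mathcal{E}[[e_n]]\rho')$

$= \mathcal{E}[[fn[e_1;\ldots;e_n]]]\rho'$

(4): $\mathcal{E}[[[e_{11} \to e_{12};\ldots;e_{n1} \to e_{n2}]]]\rho = (\mathcal{E}[[e_{11}]]\rho \to \mathcal{E}[[e_{12}]]\rho,\ \ldots,\ \mathcal{E}[[e_{n1}]]\rho \to \mathcal{E}[[e_{n2}]]\rho)$

$\sqsubseteq (\mathcal{E}[[e_{11}]]\rho' \to \mathcal{E}[[e_{12}]]\rho',\ \ldots,\ \mathcal{E}[[e_{n1}]]\rho' \to \mathcal{E}[[e_{n2}]]\rho')$

$= \mathcal{E}[[[e_{11} \to e_{12};\ldots;e_{n1} \to e_{n2}]]]\rho'$

(5): $\mathcal{F}[[F]]\rho = F \sqsubseteq F = \mathcal{F}[[F]]\rho'$

(6): $\mathcal{F}[[f]]\rho = \rho(f)\rho|Funval$

$\mathcal{F}[[f]]\rho' = \rho'(f)\rho'|Funval$

and $\rho(f)\rho \sqsubseteq \rho'(f)\rho'$ as in (2) above.

(7): $\mathcal{F}[[\lambda[[x_1;\ldots;x_n];e]]]\rho = \lambda s_1,\ldots,s_n.\ \mathcal{E}[[e]]\rho[s_1/x_1]\ldots[s_n/x_n]$

$\mathcal{F}[[\lambda[[x_1;\ldots;x_n];e]]]\rho' = \lambda s_1,\ldots,s_n.\ \mathcal{E}[[e]]\rho'[s_1/x_1]\ldots[s_n/x_n]$

so it suffices to show $\rho[s_1/x_1]\ldots[s_n/x_n] \triangleleft \rho'[s_1/x_1]\ldots[s_n/x_n]$
and for this it suffices to show $\lambda\rho.(s_i \text{ in } D) \triangleleft^{x_i} \lambda\rho.(s_i \text{ in } D)$
i.e. $\rho \triangleleft \rho' \Rightarrow (\lambda\rho.s_i)(\rho[(\lambda\rho.s_i)/x_i]) \sqsubseteq (\lambda\rho.s_i)(\rho'[(\lambda\rho.s_i)/x_i])$
i.e. $\rho \triangleleft \rho' \Rightarrow s_i \sqsubseteq s_i$ - which is true.

(8): $\mathcal{F}[[label[f;fn]]]\rho = Y(F_f(\mathcal{F}[[fn]]))\rho$

$\mathcal{F}[[label[f;fn]]]\rho' = Y(F_f(\mathcal{F}[[fn]]))\rho'$

hence result by lemma 7.

QED.

Lemma 8

$\forall \rho,x.\ \rho = \rho[\rho(x)/x]$

Proof

Follows trivially from definition of "$\rho[\rho(x)/x]$" and strictness of $\rho$.

QED.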

Theorem 3 below shows that if $vs(e)$ is the set of free variables in $e$ then in the
abstract sense discussed above the free variables of $\mathcal{E}[[e]]$ "are included in" $vs(e)$.
The following lemma is needed for the proof. The definitions of $\Phi$ and $=_X$ are on page 7.

Lemma 9

(1) $\forall v,X,Y.\ [\ \Phi(v,X),\ X \subseteq Y \Rightarrow \Phi(v,Y)\ ]$

(2) $\forall d.\ \Phi((\lambda\rho.d),\{\})$

(3) $\forall v,x,X.\ [\ \Phi(v,X) \Rightarrow \Phi(Y(F_x(v)),X \setminus \{x\})\ ]$

Proof

(1): Trivial.

(2): Trivial.

(3): I show $\Phi(v,X) \Rightarrow \Phi(F_x(v)^n(\bot),X \setminus \{x\})$ by induction on $n$. Assume $\Phi(v,X)$.

$n = 0$: $\Phi(\bot,X \setminus \{x\})$ is clearly true.

$n > 0$: Assume true for $n-1$.

$\Phi(F_x(v)^n(\bot),X \setminus \{x\}) \iff \rho =_{X \setminus \{x\}} \rho' \Rightarrow F_x(v)^n(\bot)\rho = F_x(v)^n(\bot)\rho'$

$\iff \rho =_{X \setminus \{x\}} \rho' \Rightarrow v(\rho[F_x(v)^{n-1}(\bot)/x]) = v(\rho'[F_x(v)^{n-1}(\bot)/x])$

$\Leftarrow \rho =_{X \setminus \{x\}} \rho' \Rightarrow \rho[F_x(v)^{n-1}(\bot)/x] =_X \rho'[F_x(v)^{n-1}(\bot)/x]$

which is true by induction and (1) above.

QED.


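Theorem 3

$\forall e \in \text{<form>}.\ \Phi(\mathcal{E}[[e]],vs(e))$

$\forall fn \in \text{<function>}.\ \Phi(\mathcal{F}[[fn]],vs(fn))$

Proof

A straightforward structural induction works. Let $vs(e) \subseteq X$.

$e = x$:

Must show $\rho =_X \rho' \Rightarrow \rho(x)\rho = \rho'(x)\rho'$. Now $vs(e) = \{x\} \subseteq X$ so if $\rho =_X \rho'$:
$\rho(x) = \rho'(x)$ and $\Phi(\rho(x),X)$ hence $\rho(x)\rho = \rho(x)\rho' = \rho'(x)\rho'$.

$e = A$:

Must show $\rho =_X \rho' \Rightarrow \mathcal{E}[[A]]\rho = \mathcal{E}[[A]]\rho'$ - which is clearly true.

$e = fn[e_1;\ldots;e_n]$:

we have by induction that $\Phi(\mathcal{F}[[fn]],vs(fn))$ and $\Phi(\mathcal{E}[[e_i]],vs(e_i))$.
Hence by lemma 9 $\Phi(\mathcal{F}[[fn]],X)$ and $\Phi(\mathcal{E}[[e_i]],X)$ as $vs(fn), vs(e_i) \subseteq vs(e) \subseteq X$.
So if $\rho =_X \rho'$ then $\mathcal{F}[[fn]]\rho = \mathcal{F}[[fn]]\rho'$ and $\mathcal{E}[[e_i]]\rho = \mathcal{E}[[e_i]]\rho'$
and hence $\mathcal{E}[[e]]\rho = \mathcal{E}[[e]]\rho'$.

$e = [e_{11} \to e_{12};\ldots;e_{n1} \to e_{n2}]$:

Argument as above.

Now let $vs(fn) \subseteq X$.

$fn = f$:

Similar to "$e = x$" case above.

$fn = F$:

Similar to "$e = A$" case above.

$fn = \lambda[[x_1;\ldots;x_n];e]$:

$\mathcal{F}[[\lambda[[x_1;\ldots;x_n];e]]]\rho = \lambda s_1,\ldots,s_n{:}S.\ \mathcal{E}[[e]]\rho[s_1/x_1]\ldots[s_n/x_n]$

$vs(fn) = vs(e) \setminus \{x_1,\ldots,x_n\}$ so $vs(e) \subseteq X \cup \{x_1,\ldots,x_n\}$.

Now by lemma 9(1,2) if $Y = X \cup \{x_1,\ldots,x_n\}$ then

$\rho =_X \rho' \Rightarrow \rho[s_1/x_1]\ldots[s_n/x_n] =_Y \rho'[s_1/x_1]\ldots[s_n/x_n]$

so as $\Phi(\mathcal{E}[[e]],vs(e))$: $\mathcal{E}[[e]]\rho[s_1/x_1]\ldots[s_n/x_n] = \mathcal{E}[[e]]\rho'[s_1/x_1]\ldots[s_n/x_n]$.

$fn = label[f;fn_1]$:

We have by induction $\Phi(\mathcal{F}[[fn_1]],vs(fn_1))$ where $vs(fn_1) \setminus \{f\} = vs(fn) \subseteq X$.

So by lemma 9(3) and induction $\Phi(\mathcal{F}[[fn]],vs(fn_1) \setminus \{f\})$
hence $\Phi(\mathcal{F}[[fn]],X)$.

QED.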

As an application one can show that adding new definitions to an environment doesn't
change the values of the old ones as long as previously used variables aren't
overwritten. This is an important lemma needed in proving the correctness of eval.
Here it's a trivial consequence of Theorem 3 but originally (see [1]) it needed a long
ad-hoc proof which confused general arguments with LISP specific ones. To see how it
follows consider an environment $\rho$ which defines a set of functions all of whose free
variables are included in $X \subseteq Id$. Suppose $x$ is a new function not included in $X$. We wish
to show that if $e$ is a form (or function) then as long as $vs(e) \subseteq X$ (i.e. $e$ only uses the
old functions) we have for any $v$: $\mathcal{E}[[e]]\rho = \mathcal{E}[[e]]\rho[v/x]$. But this is now trivial for
$\Phi(\mathcal{E}[[e]],X)$ and $\rho =_X \rho[v/x]$. Saying this formally yields the following theorem (in which
"$\rho[v/x]$" above is replaced by "$\rho'$").

Theorem 4

Suppose $\rho,\rho' \in Env$, $e \in \text{<form>}$ are such that for some $X \subseteq Id$ we have:

(1) $\forall x \in X.\ \exists fn_x \in \text{<function>}.\ \rho(x) = \rho'(x) = \mathcal{F}[[fn_x]]$ and $vs(fn_x) \subseteq X$.

(2) $vs(e) \subseteq X$

then $\mathcal{E}[[e]]\rho = \mathcal{E}[[e]]\rho'$.

Proof

By theorem 3 $\Phi(\mathcal{E}[[e]],X)$ and $\rho =_X \rho'$. The result follows from the definition of $\Phi$.

QED.


6.  Existence  of  Predicates 

In all the above the existence of the predicates has been assumed.

However this existence cannot be deduced immediately from the recursive definitions
as the predicates being defined aren't necessarily monotonic. The existence proofs to
be described are directly based on techniques developed by Robert Milne [5]. Similar
methods have recently been independently discovered by Reynolds [7]. For the current
purposes it's only necessary to know that the required predicates exist, however
Milne's work shows one can expect them to be unique also. I haven't checked this for
the predicates used here.

We define by induction on $n$ predicates:

$$\triangleleft_n \subseteq Env \times Env$$
$$\triangleleft^x_n \subseteq V_D \times V_D$$

and then set:

$$\rho \triangleleft \rho' \iff \forall n.\ \rho \triangleleft_n \rho'$$
$$v \triangleleft^x v' \iff \forall n.\ v \triangleleft^x_n v'$$

it follows (details below) that $\triangleleft$, $\triangleleft^x$ satisfy the desired equations and are
directed-complete.

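Definition 3

$$\rho \triangleleft_n \rho' \iff \forall x.\ \rho(x) \triangleleft^x_n \rho'(x)$$
$$v \triangleleft^x_0 v' \iff v(\bot[v_0/x]) \sqsubseteq v'(\bot[v'/x])$$
$$v \triangleleft^x_{n+1} v' \iff \forall \rho,\rho'.\ [\ \rho \triangleleft_n \rho' \Rightarrow v_{n+1}(\rho[v/x]) \sqsubseteq v'(\rho'[v'/x])\ ]$$

The following two lemmas are needed to prove Theorem 5 below.

Lemma 10

$(1_n)$ $\forall \rho,\rho'.\ [\ \rho \triangleleft_{n+1} \rho' \Rightarrow \rho \triangleleft_n \rho'\ ]$

$(2_n)$ $\forall \rho,\rho'.\ [\ \rho \triangleleft_n \rho' \Rightarrow \rho_{n+1} \triangleleft_{n+1} \rho'\ ]$

$(3_n)$ $\forall v,v'.\ [\ v \triangleleft^x_{n+1} v' \Rightarrow v \triangleleft^x_n v'\ ]$

$(4_n)$ $\forall v,v'.\ [\ v \triangleleft^x_n v' \Rightarrow v_n \triangleleft^x_{n+1} v'\ ]$

Proof

I show that $(3_0)$, $(4_0)$, $(3_n) \Rightarrow (1_n)$, $(4_n) \Rightarrow (2_n)$, $(2_{n-1}) \Rightarrow (3_n)$, $(1_{n-1}) \Rightarrow (4_n)$

$(3_0)$: Must show $v \triangleleft^x_1 v' \Rightarrow v \triangleleft^x_0 v'$. Clearly $\bot \triangleleft_0 \bot$ and we have:

$v \triangleleft^x_1 v',\ \bot \triangleleft_0 \bot \Rightarrow v_1(\bot[v/x]) \sqsubseteq v'(\bot[v'/x])$

$\Rightarrow v(\bot[v_0/x]) \sqsubseteq v'(\bot[v'/x])$

$\iff v \triangleleft^x_0 v'$

$(4_0)$: Must show $v \triangleleft^x_0 v' \Rightarrow v_0 \triangleleft^x_1 v'$.

Assume $v \triangleleft^x_0 v'$ and $\rho \triangleleft_0 \rho'$.

Must show $(v_0)_1(\rho[v_0/x]) \sqsubseteq v'(\rho'[v'/x])$
i.e. $v(\bot) \sqsubseteq v'(\rho'[v'/x])$

but $v(\bot) \sqsubseteq v(\bot[v_0/x]) \sqsubseteq v'(\bot[v'/x]) \sqsubseteq v'(\rho'[v'/x])$.

$(3_n) \Rightarrow (1_n)$: Assume $(3_n)$. To show $(1_n)$ let $\rho \triangleleft_{n+1} \rho'$.
Must show $\rho \triangleleft_n \rho'$ i.e. $\forall x.\ \rho(x) \triangleleft^x_n \rho'(x)$.

But if $\rho \triangleleft_{n+1} \rho'$ then $\forall x.\ \rho(x) \triangleleft^x_{n+1} \rho'(x)$ so $\forall x.\ \rho(x) \triangleleft^x_n \rho'(x)$ by $(3_n)$.

$(4_n) \Rightarrow (2_n)$: $\rho \triangleleft_n \rho' \iff \forall x.\ \rho(x) \triangleleft^x_n \rho'(x)$

$\Rightarrow \forall x.\ \rho(x)_n \triangleleft^x_{n+1} \rho'(x)$ by $(4_n)$

$\Rightarrow \forall x.\ \rho_{n+1}(x) \triangleleft^x_{n+1} \rho'(x)$

$\Rightarrow \rho_{n+1} \triangleleft_{n+1} \rho'$

$(2_{n-1}) \Rightarrow (3_n)$: Assume $(2_{n-1})$. To show $(3_n)$ let $v \triangleleft^x_{n+1} v'$ and $\rho \triangleleft_{n-1} \rho'$.

Then $\rho_n \triangleleft_n \rho'$ from $(2_{n-1})$.

So $v_{n+1}(\rho_n[v/x]) \sqsubseteq v'(\rho'[v'/x])$
i.e. $v(\rho_n[v_n/x]) \sqsubseteq v'(\rho'[v'/x])$
hence $v_n(\rho[v/x]) = v(\rho_n[v_{n-1}/x])$

$\sqsubseteq v(\rho_n[v_n/x])$
$\sqsubseteq v'(\rho'[v'/x])$.

$(1_{n-1}) \Rightarrow (4_n)$: Assume $(1_{n-1})$. To show $(4_n)$ let $v \triangleleft^x_n v'$ and $\rho \triangleleft_n \rho'$.

Then $\rho \triangleleft_{n-1} \rho'$ so $v_n(\rho[v/x]) \sqsubseteq v'(\rho'[v'/x])$
hence $(v_n)_{n+1}(\rho[v_n/x]) = v(\rho_n[v_{n-1}/x])$

$= v_n(\rho[v/x])$

$\sqsubseteq v'(\rho'[v'/x])$

QED.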


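Lemma 11

If $\{v_\alpha\}$ is directed then $[\ [\forall\alpha.\ v_\alpha \triangleleft^x_n v'] \Rightarrow [(\bigsqcup_\alpha v_\alpha) \triangleleft^x_n v']\ ]$.

Proof

Cases on $n$:

$n = 0$: $v_\alpha \triangleleft^x_0 v' \iff v_\alpha(\bot[(v_\alpha)_0/x]) \sqsubseteq v'(\bot[v'/x])$
so $\bigsqcup_\alpha v_\alpha(\bot[\bigsqcup_\alpha (v_\alpha)_0/x]) \sqsubseteq v'(\bot[v'/x])$.

$n > 0$: Let $\rho \triangleleft_{n-1} \rho'$ then $\forall\alpha.\ (v_\alpha)_n(\rho[v_\alpha/x]) \sqsubseteq v'(\rho'[v'/x])$
so $(\bigsqcup_\alpha v_\alpha)_n(\rho[\bigsqcup_\alpha v_\alpha/x]) \sqsubseteq v'(\rho'[v'/x])$
hence $\bigsqcup_\alpha v_\alpha \triangleleft^x_n v'$.

QED.

Theorem 5

$\triangleleft$ and $\triangleleft^x$ are directed-complete and satisfy:

$$\rho \triangleleft \rho' \iff \forall x.\ \rho(x) \triangleleft^x \rho'(x)$$
$$v \triangleleft^x v' \iff \forall \rho,\rho'.\ [\ \rho \triangleleft \rho' \Rightarrow v(\rho[v/x]) \sqsubseteq v'(\rho'[v'/x])\ ]$$

Proof

To show $\triangleleft^x$ directed-complete we have:

$\forall\alpha.\ v_\alpha \triangleleft^x v' \iff \forall\alpha.\forall n.\ v_\alpha \triangleleft^x_n v'$

$\iff \forall n.\forall\alpha.\ v_\alpha \triangleleft^x_n v'$

$\Rightarrow \forall n.\ \bigsqcup_\alpha v_\alpha \triangleleft^x_n v'$ by lemma 11

$\iff \bigsqcup_\alpha v_\alpha \triangleleft^x v'$

Showing $[\ [\forall\alpha.\ v \triangleleft^x v'_\alpha] \Rightarrow [v \triangleleft^x (\bigsqcup_\alpha v'_\alpha)]\ ]$ is trivial.

The directed-completeness of $\triangleleft$ follows directly from its definition and the
directed-completeness of $\triangleleft^x$ for all $x$.

To prove the rest of the theorem we have:

$\rho \triangleleft \rho' \iff \forall n.\forall x.\ \rho(x) \triangleleft^x_n \rho'(x)$

$\iff \forall x.\forall n.\ \rho(x) \triangleleft^x_n \rho'(x)$

$\iff \forall x.\ \rho(x) \triangleleft^x \rho'(x)$

To show $v \triangleleft^x v' \Rightarrow \forall \rho,\rho'.\ [\rho \triangleleft \rho' \Rightarrow v(\rho[v/x]) \sqsubseteq v'(\rho'[v'/x])]$ assume $v \triangleleft^x v'$ and $\rho \triangleleft \rho'$.

Then $\forall n.\ v \triangleleft^x_{n+1} v',\ \rho \triangleleft_n \rho'$

so $v_{n+1}(\rho[v/x]) \sqsubseteq v'(\rho'[v'/x])$

hence unioning over $n$: $v(\rho[v/x]) \sqsubseteq v'(\rho'[v'/x])$.

To show $\forall \rho,\rho'.\ [\rho \triangleleft \rho' \Rightarrow v(\rho[v/x]) \sqsubseteq v'(\rho'[v'/x])] \Rightarrow v \triangleleft^x v'$ assume
$\rho \triangleleft \rho' \Rightarrow v(\rho[v/x]) \sqsubseteq v'(\rho'[v'/x])$. I show $\forall n.\ v \triangleleft^x_n v'$ by induction on $n$.

$n = 0$: $\bot \triangleleft \bot$ so $v(\bot[v/x]) \sqsubseteq v'(\bot[v'/x])$ so $v(\bot[v_0/x]) \sqsubseteq v(\bot[v/x]) \sqsubseteq v'(\bot[v'/x])$

so $v \triangleleft^x_0 v'$.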

n>0:  By  lemma  10:  pop'  =>  p«nAp’  =>  p*np'  =>  Vm.  p^mp'. 
so  pn<»p'. 

hbnce  v<pn[v/x]>  c v'(p' lv'/x])  so  vn(p[vn/x])  E v(pn[v/x])  E v'(p'[v'/x]). 

Thus $v \triangleleft^x_n v'$.

So $\forall n.\ v \triangleleft^x_n v'$ and hence $v \triangleleft^x v'$.

QED.


The construction of $\Phi$ and $=_X$ is very similar to the construction above. As before we
start by defining "finite" approximations to the relations viz.

Definition 4

$$\Phi_n(v,X) \iff \forall Y,\rho,\rho'.\ [\ X \subseteq Y \Rightarrow [\rho =_{Y,n} \rho' \Rightarrow v_n(\rho) = v_n(\rho')]\ ]$$
$$\rho =_{X,0} \rho' = true$$
$$\rho =_{X,n+1} \rho' \iff \forall x \in X.\ \rho(x) = \rho'(x) \text{ and } \Phi_n(\rho(x),X)$$

We then prove a lemma similar to lemma 10 viz.

Lemma 12

<ln)  Vv,X.  [ *ntl<v,X)  =>  4n<v,X)  3 
<2n)  Vv,X.  [ 4n<v,X)  =>  KM)  3 
<3„)  Vp,p-,X.  [ p=x„.,p'  ->  p=x„p-  ] 

W Vp,p-,X.  [ p=*„p'  ->  p1,=xn.,p'  ; 

Proof 

Same as lemma 10 (mutatis mutandis).

QED. 

From this it follows that if we define $\Phi$ and $=_X$ by:

$$\Phi(v,X) \iff \forall n.\ \Phi_n(v,X)$$
$$\rho =_X \rho' \iff \forall n.\ \rho =_{X,n} \rho'$$

then $\Phi$ and $=_X$ have the desired properties.

7.  Concluding  Remarks 

We have presented above a partial axiomatization of dynamic binding. What has been
shown is that if $v \in [Env \to D]$ satisfies $v \ast v$ (i.e. is regular) and $\Phi(v,X)$ for some $X \subseteq Id$
then useful theorems follow. What is left open is just how many other axioms will
eventually be required. To answer this we need first to know which theorems we want
and to answer this we must attack "real" problems such as the correctness of compilers
and interpreters. Doing this should reveal the general theorems about dynamic binding
that must follow from any adequate theory.

The theorems proved here are not yet general enough. For example if we consider
the obvious extension of the semantics to handle funargs (see [1]) then the proofs
that $\mathcal{E}[[e]]$ and $\mathcal{F}[[fn]]$ are regular fail. In fact by replacing the occurrences of "$\sqsubseteq$"
in the definitions of $\triangleleft^x$ and $\ast$ by another predicate (which needs to be defined
recursively) it's easy to cover this case. Unfortunately I don't at present see a
uniform way of defining $\triangleleft^x$ and $\ast$ to cover all useful $D$.

Having to separately prove the existence of all predicates is a big nuisance. One
step toward a general justification of recursive predicate definitions has been
provided by Milne and Reynolds. Both give uniform accounts of how to construct
recursive predicates from their defining equations. In fact the constructions given
above are (more or less) instances of Milne's techniques. It would help a lot if
syntactic criteria on definitions could be developed to decide if the things purported
to be defined actually exist. Milne [private communication] has made progress toward
this by analysing the structure of some of the expressions which occur in definitions
and showing that these are legitimate instances of his general construction.

It's clear that many of the above proofs can't be done in existing formalisms (eg LCF)
- the required predicates can't be defined in them. One way to fix this would be
to develop extensions, another would be to develop a translator from proofs using
predicates to proofs which don't. The latter probably won't be adequate because
theorems may require the use of predicates in their statement at the general level
(even if all their useful instances don't).